Introduction
Role-Based Access Control (RBAC) in Databricks Unity Catalog is, strictly speaking, a set of privileges granted to principals (users, service principals and account-level groups) on securable objects: catalogs, schemas, tables, views, volumes and functions. Cluster and SQL warehouse permissions are workspace access controls and are managed separately. When these grants are misconfigured the result is unexpected PERMISSION_DENIED errors, grants that cannot be issued, or objects that some users cannot see at all.
🚨 Common RBAC issues in Databricks:
- Users cannot access Unity Catalog objects (catalogs, schemas, or tables).
- PERMISSION_DENIED errors appear in SQL queries.
- Privileges (USE CATALOG, SELECT, MODIFY, ownership) do not take effect as expected.
- Group-based permissions do not reflect in the Databricks workspace.
This guide covers troubleshooting steps and solutions for these issues.
1. Verify That Unity Catalog RBAC Is Enabled
Symptoms:
- No Unity Catalog catalogs appear in Catalog Explorer; only hive_metastore is listed.
- Unity Catalog grant options (the Permissions tab, GRANT statements) are missing or fail.
- Users can read data regardless of the privileges you grant, typically because the data lives in the legacy hive_metastore, which Unity Catalog privileges do not govern.
Causes:
- The workspace is not attached to a Unity Catalog metastore; Unity Catalog privileges only exist inside a metastore.
- The objects live in the legacy Hive metastore, which does not enforce Unity Catalog privileges (only legacy table ACLs, if those are enabled).
Fix:
✅ Check whether the workspace is attached to a Unity Catalog metastore:
SHOW CATALOGS;
- SHOW CATALOGS lists only the catalogs the current user holds USE CATALOG or BROWSE on, so run it as a metastore admin. If only hive_metastore appears even for an admin, the workspace is not attached to a metastore. If it is empty for a normal user but not for an admin, the problem is missing grants (section 2), not enablement.
✅ Create a metastore (account admin only; one metastore per region). With the current Databricks CLI (the legacy databricks unity-catalog command group uses different flags; check --help for your version):
databricks metastores create <metastore-name> --region <region> --storage-root s3://<bucket>/<path>
✅ Attach the metastore to the workspace, naming the catalog that becomes the workspace default:
databricks metastores assign <workspace-id> <metastore-id> <default-catalog-name>
✅ Make sure users query three-level names (catalog.schema.table) in Unity Catalog rather than hive_metastore.schema.table: grants on a Unity Catalog table do nothing for a copy of the same table in the Hive metastore.
2. Check User Permissions for Unity Catalog Objects
Symptoms:
- Error such as: "PERMISSION_DENIED: User does not have USE CATALOG on Catalog 'my_catalog'" (or USE SCHEMA on a schema, or SELECT on a table).
- Users cannot list catalogs, schemas, or tables in Unity Catalog.
- Privileges such as SELECT or MODIFY appear to be granted, but queries still fail.
Causes:
- Reading a table requires a complete chain of privileges: USE CATALOG on the catalog, USE SCHEMA on the schema, and SELECT on the table (or on a parent object, since privileges are inherited downward). A SELECT grant on the table alone fails if either USE privilege is missing.
- Workspace admin is a workspace role, not a Unity Catalog privilege; it grants nothing on data. Only metastore admins and object owners hold privileges implicitly.
- Privileges were granted on the wrong object (for example on hive_metastore.my_schema, or on a similarly named table in another catalog), because an unqualified name resolved against the session's current catalog.
Fix:
✅ List the explicit grants on each level of the chain (SHOW GRANTS shows direct grants only, not inherited or owner-implied privileges):
SHOW GRANTS ON CATALOG my_catalog;
SHOW GRANTS ON SCHEMA my_catalog.my_schema;
SHOW GRANTS ON TABLE my_catalog.my_schema.my_table;
✅ Grant the full chain, using fully qualified names so the grant lands on the intended object:
GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;
GRANT USE SCHEMA ON SCHEMA my_catalog.my_schema TO `user@example.com`;
GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `user@example.com`;
✅ Ownership is not a shortcut for "full access". An owner can alter, drop and re-grant the object, so transfer it only to the team that should administer it, and prefer a group over an individual. Ownership is transferred with ALTER ... OWNER TO, not GRANT:
ALTER CATALOG my_catalog OWNER TO `data-platform-admins`;
- For a principal that needs broad read/write access without administrative control, grant ALL PRIVILEGES on the catalog instead; it inherits to every schema and table beneath it:
GRANT ALL PRIVILEGES ON CATALOG my_catalog TO `data-engineers`;
✅ Prefer grants to groups, again with fully qualified names:
GRANT SELECT ON TABLE my_catalog.my_schema.my_table TO `my_group`;
✅ The grantee must be an account-level group. Groups from Microsoft Entra ID (Azure AD) or another identity provider reach Databricks through SCIM provisioning into the account; confirm the group exists and contains the user:
SHOW GROUPS WITH USER `user@example.com`;
- If the group or the member is missing, fix the SCIM provisioning (or the IdP group assignment) rather than adding members by hand in Databricks; manual changes diverge from the identity provider and are overwritten on the next sync.
3. Group-Based RBAC Not Working
Symptoms:
- Users assigned to a Databricks group do not receive the group's privileges.
- Grants to the group on catalogs, schemas, or tables have no effect.
- Groups from Microsoft Entra ID (Azure AD) or another identity provider do not appear in Databricks, or appear without their members.
Causes:
- The group was created as a workspace-local group (legacy workspace admin console) rather than an account-level group. Unity Catalog privileges can only be granted to account-level principals; workspace-local groups do not count.
- Group membership is not synced from the identity provider (SCIM provisioning at the account level is disabled, failing, or scoped to the wrong groups).
- The user signs in under a different identity (for example a personal address instead of the corporate one) than the identity that is a member of the group.
Fix:
✅ Verify, as the affected user, that Databricks sees the account-level membership Unity Catalog evaluates:
SELECT current_user(), is_account_group_member('my-group');
- is_account_group_member() checks account-level membership; is_member() only checks workspace-local membership and can return true while Unity Catalog grants still fail.
✅ List the groups a user belongs to as seen by Databricks:
SHOW GROUPS WITH USER `user@example.com`;
✅ With the current Databricks CLI, account-level groups are under the account command group (requires an account admin profile):
databricks account groups list
- If the group appears only in databricks groups list (workspace level) and not at the account level, it is workspace-local: recreate it as an account group, or let SCIM provision it, and re-issue the grants to the account group.
✅ Add members in the identity provider, not in Databricks, and let SCIM sync them. For Entra ID:
az ad group member add --group my-group --member-id <user-object-id>
- This changes Entra ID only; the change reaches Databricks on the next SCIM sync of the Databricks enterprise application, so check the provisioning logs in Entra ID if the member does not appear.
✅ On AWS, IAM is not an identity source for Databricks users: users and groups come from your identity provider via SSO/SCIM, while IAM roles are used for storage credentials, external locations and instance profiles. An IAM role attached to the workspace changes what the workspace can read from S3, not which users are allowed to query a table.
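The following script is an added example written for this guide, not code from Databricks or the Databricks CLI. It models the rules sections 2 and 3 describe against constructed grant and group data (the metastore, users and group names are made up): the USE CATALOG, USE SCHEMA and SELECT chain, privilege inheritance from parent objects, ALL PRIVILEGES expansion, owners implicitly holding every privilege, nested account-group membership, and grants to workspace-local groups being ineffective. Given a user and a table, it reports which link of the chain is missing, which is the question you are really answering when you read SHOW GRANTS output by hand.

```python
"""Trace the Unity Catalog privilege chain for one user and one table.

Added example, not Databricks code. It simplifies the real model (no views,
volumes, or MANAGE privilege) and runs entirely on constructed data.
"""
from dataclasses import dataclass, field

# What ALL PRIVILEGES expands to at each securable level (subset used here).
ALL_PRIVILEGES = {
    "CATALOG": {"USE CATALOG", "USE SCHEMA", "SELECT", "MODIFY", "CREATE SCHEMA", "CREATE TABLE"},
    "SCHEMA": {"USE SCHEMA", "SELECT", "MODIFY", "CREATE TABLE"},
    "TABLE": {"SELECT", "MODIFY"},
}


@dataclass(frozen=True)
class Grant:
    level: str       # CATALOG, SCHEMA or TABLE
    securable: str   # full name: "prod", "prod.sales" or "prod.sales.orders"
    principal: str   # user e-mail or account-level group name
    privilege: str   # e.g. "SELECT" or "ALL PRIVILEGES"


@dataclass
class Metastore:
    owners: dict = field(default_factory=dict)            # securable -> owner principal
    grants: list = field(default_factory=list)
    account_groups: dict = field(default_factory=dict)    # group -> members (users or groups)
    workspace_local_groups: set = field(default_factory=set)

    def principals_for(self, user):
        """The user plus every account group containing it, following nested groups."""
        result = {user}
        changed = True
        while changed:
            changed = False
            for group, members in self.account_groups.items():
                if group not in result and members & result:
                    result.add(group)
                    changed = True
        return result

    def effective_privileges(self, user, level, securable):
        """Privileges the user holds on `securable`, including ones inherited from ancestors."""
        principals = self.principals_for(user)
        parts = securable.split(".")
        ancestors = [".".join(parts[: i + 1]) for i in range(len(parts))]
        # Owning the object, or any object above it, implies every privilege on it.
        if any(self.owners.get(a) in principals for a in ancestors):
            return set(ALL_PRIVILEGES[level])
        held = set()
        for g in self.grants:
            if g.principal in principals and g.securable in ancestors:
                held |= ALL_PRIVILEGES[g.level] if g.privilege == "ALL PRIVILEGES" else {g.privilege}
        # A privilege only counts at a level where it is meaningful (USE CATALOG is not a table privilege).
        return held & ALL_PRIVILEGES[level]

    def diagnose(self, user, table):
        """Return the missing links in the chain needed to SELECT from a three-part table name."""
        catalog, schema, _ = table.split(".")
        checks = [
            ("USE CATALOG", "CATALOG", catalog),
            ("USE SCHEMA", "SCHEMA", f"{catalog}.{schema}"),
            ("SELECT", "TABLE", table),
        ]
        return [f"{priv} on {obj}" for priv, level, obj in checks
                if priv not in self.effective_privileges(user, level, obj)]

    def ineffective_grants(self):
        """Grants naming a workspace-local group: Unity Catalog only honours account-level principals."""
        return [g for g in self.grants if g.principal in self.workspace_local_groups]


def build_example_metastore():
    """Constructed sample data for the demonstration (not exported from a real metastore)."""
    return Metastore(
        owners={"prod": "data-admins"},
        account_groups={
            "data-admins": {"admin@example.com"},
            "analysts": {"alice@example.com", "contractors"},   # nested group
            "contractors": {"bob@example.com"},
        },
        workspace_local_groups={"legacy-readers"},
        grants=[
            Grant("CATALOG", "prod", "analysts", "USE CATALOG"),
            Grant("SCHEMA", "prod.sales", "analysts", "USE SCHEMA"),
            Grant("TABLE", "prod.sales.orders", "analysts", "SELECT"),
            # Table-level SELECT without the parent USE privileges: the classic PERMISSION_DENIED.
            Grant("TABLE", "prod.sales.orders", "carol@example.com", "SELECT"),
            # Granted to a workspace-local group, so Unity Catalog never honours it.
            Grant("TABLE", "prod.sales.orders", "legacy-readers", "SELECT"),
        ],
    )


if __name__ == "__main__":
    ms = build_example_metastore()
    for user in ["alice@example.com", "bob@example.com", "carol@example.com", "admin@example.com"]:
        missing = ms.diagnose(user, "prod.sales.orders")
        print(f"{user}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    for g in ms.ineffective_grants():
        print(f"ineffective: {g.privilege} on {g.securable} to workspace-local group {g.principal}")
```

Run it directly to see the four constructed users diagnosed: alice and bob (through the nested contractors group) pass, admin passes through catalog ownership, and carol is told exactly which two USE privileges are missing. On a real metastore the same answers come from SHOW GRANTS on each level and is_account_group_member() run as the affected user.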
4. RBAC Permissions Not Applying in Clusters or SQL Warehouses
Symptoms:
- Unity Catalog grants are enforced on some clusters but not others, or queries on some clusters cannot see Unity Catalog catalogs at all.
- SQL warehouse users cannot access Unity Catalog objects.
- A user can read data on a cluster that they are denied on a SQL warehouse, or the reverse.
Causes:
- Only clusters running a Unity Catalog-capable access mode (Standard, formerly Shared, or Dedicated, formerly Single user) on Databricks Runtime 11.3 LTS or later can access Unity Catalog. "No isolation shared" clusters and older custom modes cannot, and on those clusters data reached through hive_metastore is subject to no Unity Catalog enforcement.
- Dedicated (single user) clusters run as one assigned principal; a different user attaching to such a cluster is denied regardless of their grants.
- SQL warehouses always enforce Unity Catalog privileges. Access problems there are either missing Unity Catalog grants or a missing CAN USE permission on the warehouse itself.
Fix:
✅ Check the cluster's access mode:
- Compute → select the cluster → Edit → Access mode must be Standard (Shared) or Dedicated (Single user). There is no separate "enable Unity Catalog" switch; changing the access mode requires a restart.
✅ For a SQL warehouse, grant CAN USE on the warehouse (Permissions on the warehouse) and then the Unity Catalog privileges. The privilege is USE CATALOG; USAGE belongs to the legacy Hive table ACL model:
GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;
✅ Unity Catalog grants take effect immediately; no restart is needed after a GRANT or REVOKE. Restart only after changing the cluster's access mode or runtime version.
5. Cannot Grant Privileges Due to Missing Ownership
Symptoms:
- Error: "User does not have ownership privileges to grant permissions" (or PERMISSION_DENIED on a GRANT statement).
- Workspace admins cannot grant privileges on existing objects.
Causes:
- Privileges on an object can be granted by its owner, by the owner of its parent catalog or schema, or by a metastore admin. Workspace admin is not one of these; it is a workspace role with no standing in Unity Catalog.
- The object was created by another user, who is still its owner (the creator becomes owner by default).
Fix:
✅ Find the current owner. SHOW GRANTS lists explicit grants, not ownership; DESCRIBE ... EXTENDED shows the Owner field:
DESCRIBE CATALOG EXTENDED my_catalog;
DESCRIBE SCHEMA EXTENDED my_catalog.my_schema;
DESCRIBE TABLE EXTENDED my_catalog.my_schema.my_table;
✅ Transfer ownership to the group that should administer the object (a group rather than a person, so the object is not orphaned when someone leaves). This must be run by the current owner or a metastore admin:
ALTER CATALOG my_catalog OWNER TO `data-platform-admins`;
✅ Once ownership is in place, the new owner can grant privileges (USE CATALOG, not the legacy USAGE):
GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;
6. Cannot See Unity Catalog Objects in UI
Symptoms:
- Users do not see catalogs, schemas, or tables in Catalog Explorer.
- Running SHOW CATALOGS; returns empty results, or lists only hive_metastore.
Causes:
- Unity Catalog hides objects the user has no privilege on: a catalog is listed only if the user holds USE CATALOG or BROWSE on it, and the same applies to the schemas and tables beneath it.
- The catalog is bound to other workspaces. Workspace-catalog binding can restrict a catalog to specific workspaces; in any other workspace it is invisible even to users who hold grants on it.
Fix:
✅ Grant catalog access explicitly:
GRANT USE CATALOG ON CATALOG my_catalog TO `user@example.com`;
✅ If only metadata visibility is wanted (browse the catalog without reading data), grant BROWSE instead:
GRANT BROWSE ON CATALOG my_catalog TO `user@example.com`;
✅ If using a group, grant permissions at the group level:
GRANT USE CATALOG ON CATALOG my_catalog TO `my_group`;
✅ Check the catalog's workspace binding (Catalog Explorer → the catalog → Workspaces tab): if it is assigned to specific workspaces, add this workspace or run the check from one of the assigned workspaces.
Step-by-Step Troubleshooting Guide
Step 1: Verify Unity Catalog Is Enabled
SHOW CATALOGS;
- If only hive_metastore appears even for a metastore admin, the workspace is not attached to a Unity Catalog metastore.
Step 2: Check User Permissions
SHOW GRANTS ON CATALOG my_catalog;
SHOW GRANTS ON SCHEMA my_catalog.my_schema;
SHOW GRANTS ON TABLE my_catalog.my_schema.my_table;
- Ensure the user, or one of their account-level groups, holds USE CATALOG on the catalog, USE SCHEMA on the schema, and SELECT on the table.
Step 3: Check Group Memberships
SELECT is_account_group_member('my-group');
- Run this as the affected user; it must return true. Membership is resolved at the account level, so workspace-local groups do not count.
Step 4: Ensure Clusters and Warehouses Are Unity Catalog-Enabled
- The cluster's access mode must be Standard (Shared) or Dedicated (Single user) on Databricks Runtime 11.3 LTS or later. SQL warehouses are always Unity Catalog-enabled, but the user needs CAN USE on the warehouse.
Step 5: Change Ownership if Needed
ALTER CATALOG my_catalog OWNER TO `data-platform-admins`;
Best Practices for RBAC in Databricks Unity Catalog
✅ Use Group-Based RBAC Instead of User-Based Permissions
- Manage permissions at the group level rather than assigning them per user.
✅ Regularly Review User and Group Permissions
SHOW GRANTS ON CATALOG my_catalog;
✅ Ensure Clusters and Warehouses Support Unity Catalog
- Only clusters in a Unity Catalog-capable access mode (Standard/Shared or Dedicated/Single user, Databricks Runtime 11.3 LTS or later) enforce Unity Catalog privileges; data reached through hive_metastore on other clusters is outside this model.
✅ Sync Identity Provider Groups With Databricks at the Account Level
- Provision users and groups from Microsoft Entra ID, Okta, or another identity provider through SCIM into the Databricks account, and grant privileges only to those account-level groups. Workspace-local groups cannot hold Unity Catalog grants, and AWS IAM is not an identity source for users.
Conclusion
If RBAC is not working in Databricks, ensure:
✅ Unity Catalog is enabled.
✅ Users have the full chain: USE CATALOG, USE SCHEMA, and SELECT, directly or through an account-level group.
✅ Clusters run a Unity Catalog-capable access mode, and SQL warehouse users have CAN USE on the warehouse.
✅ Grants target account-level groups that actually contain the user.
✅ Ownership is held by the team (ideally a group) that should administer the object, and is not used as a shortcut for read access.
Working through these checks in order locates most Unity Catalog permission failures. If a query still fails, the PERMISSION_DENIED message names the exact privilege and object that is missing, which is where to look next.